
Ubuntu 20.04 L2TP VPN connection not working

Ask Ubuntu user
Asked 2021-05-01 12:58:46
Answers: 1, Views: 11.3K, Followers: 0, Votes: 1

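I am trying to connect my Ubuntu 20.04 installation to my company VPN. The VPN is based on a SOPHOS firewall. According to the details provided by the IT department, we should use an L2TP connection with IPsec and a pre-shared key. The standard configuration, following all the manuals I found on the web, does not work at all. I reported the issue to the IT department and they did some tests. It turned out that they could not connect an Ubuntu installation either, but they connected CentOS 8 without any problems. They will not do any more tests. Another colleague and I are the only ones using Linux at work. So I invested some time and tried to find the reason.

I installed CentOS on a VM and tried to connect to the company VPN. A fresh installation does not have all the required packages. I installed the following: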

NetworkManager-l2tp.x86_64                         1.8.6-5.el8        @epel
NetworkManager-l2tp-gnome.x86_64                   1.8.6-5.el8        @epel
libreswan.x86_64                                   3.32-7.el8_3       @appstream
nss-tools.x86_64                                   3.53.1-17.el8_3    @appstream
ppp.x86_64                                         2.4.7-26.el8_1     @baseos
strongswan.x86_64                                  5.9.1-1.el8        @epel
unbound-libs.x86_64                                1.7.3-14.el8       @appstream
xl2tpd.x86_64                                      1.3.15-1.el8       @epel 

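After installing the packages above, the VPN connection works without any problems. I checked what is installed by default in Ubuntu. The difference is that in Ubuntu, libreswan and strongswan cannot be installed at the same time. I read on the internet that this could be a problem with strongswan (the Ubuntu default). I removed strongswan and installed libreswan. Same result: the connection does not work. For testing purposes I set up the same type of VPN server on my NAS at home. The default Ubuntu installation works fine with it. When I switched to libreswan, the connection to that VPN no longer worked. I think it is important that I cannot create a VPN link to my home server with CentOS.

For testing, I compiled libreswan from source to make sure the latest version was used.

System log when trying to connect to the office: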

May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9585] audit: op="connection-activate" uuid="ac38efb7-59d6-4dcb-98bf-bf0145318677" name="CC-OFFICE" pid=2968 uid=1000 result="success"
May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9618] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: Started the VPN service, PID 24875
May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9676] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: Saw the service appear; activating connection
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Unhandled VPN connection state change:  2
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: virtual NMVariantMapMap SecretAgent::GetSecrets(const NMVariantMapMap&, const QDBusObjectPath&, const QString&, const QStringList&, uint)
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Path: "/org/freedesktop/NetworkManager/Settings/4"
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Setting name: "vpn"
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Hints: ()
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Flags: 4
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Unhandled VPN connection state change:  3
May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9841] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN connection: (ConnectInteractive) reply received
May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Check port 1701
May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Can't bind to port 1701
May  1 14:52:35 T480-SA NetworkManager[24889]: Stopping strongSwan IPsec failed: starter is not running
May  1 14:52:38 T480-SA NetworkManager[24886]: Starting strongSwan 5.8.2 IPsec [starter]...
May  1 14:52:38 T480-SA NetworkManager[24886]: Loading config setup
May  1 14:52:38 T480-SA NetworkManager[24886]: Loading conn 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:38 T480-SA charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.8.0-50-generic, x86_64)
May  1 14:52:38 T480-SA charon: 00[CFG] PKCS11 module '<name>' lacks library path
May  1 14:52:38 T480-SA charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May  1 14:52:38 T480-SA charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May  1 14:52:38 T480-SA charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
May  1 14:52:38 T480-SA charon: 00[CFG]   loaded IKE secret for %any
May  1 14:52:38 T480-SA charon: 00[CFG] loaded 0 RADIUS server configurations
May  1 14:52:38 T480-SA charon: 00[CFG] HA config misses local/remote address
May  1 14:52:38 T480-SA charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May  1 14:52:38 T480-SA charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May  1 14:52:38 T480-SA charon: 00[JOB] spawning 16 worker threads
May  1 14:52:38 T480-SA charon: 06[CFG] received stroke: add connection 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:38 T480-SA charon: 06[CFG] added configuration 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:39 T480-SA charon: 09[CFG] rereading secrets
May  1 14:52:39 T480-SA charon: 09[CFG] loading secrets from '/etc/ipsec.secrets'
May  1 14:52:39 T480-SA charon: 09[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
May  1 14:52:39 T480-SA charon: 09[CFG]   loaded IKE secret for %any
May  1 14:52:39 T480-SA charon: 10[CFG] received stroke: initiate 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:39 T480-SA charon: 12[IKE] initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May  1 14:52:39 T480-SA charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V ]
May  1 14:52:39 T480-SA charon: 12[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:43 T480-SA charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 1
May  1 14:52:43 T480-SA charon: 16[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:44 T480-SA akonadi_davgroupware_resource[3335]: org.kde.pim.davresource: Error when uploading item: 420 "There was a problem with the request. The item was not modified on the server.\nCould not connect to host localhost: Connection refused. (0)."
May  1 14:52:44 T480-SA akonadi_davgroupware_resource[3335]: org.kde.pim.davresource: Error when uploading item: 420 "There was a problem with the request. The item was not modified on the server.\nCould not connect to host localhost: Connection refused. (0)."
May  1 14:52:49 T480-SA NetworkManager[24963]: Stopping strongSwan IPsec...
May  1 14:52:49 T480-SA NetworkManager[24934]: initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May  1 14:52:49 T480-SA NetworkManager[24934]: generating ID_PROT request 0 [ SA V V V V V ]
May  1 14:52:49 T480-SA NetworkManager[24934]: sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:49 T480-SA NetworkManager[24934]: sending retransmit 1 of request message ID 0, seq 1
May  1 14:52:49 T480-SA NetworkManager[24934]: sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:49 T480-SA NetworkManager[24934]: destroying IKE_SA in state CONNECTING without notification
May  1 14:52:49 T480-SA NetworkManager[24934]: establishing connection 'ac38efb7-59d6-4dcb-98bf-bf0145318677' failed
May  1 14:52:49 T480-SA charon: 00[DMN] signal of type SIGINT received. Shutting down
May  1 14:52:49 T480-SA charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
May  1 14:52:49 T480-SA nm-l2tp-service[24875]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
May  1 14:52:49 T480-SA NetworkManager[1240]: <info>  [1619873569.1349] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN plugin: state changed: stopped (6)
May  1 14:52:49 T480-SA NetworkManager[1240]: <info>  [1619873569.1382] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN service disappeared
May  1 14:52:49 T480-SA NetworkManager[1240]: <warn>  [1619873569.1393] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

Thanks for any advice on how I can solve this problem.

1 Answer

Ask Ubuntu user

Accepted answer

Posted 2021-05-14 07:49:51

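Could you install the newer network-manager-l2tp 1.8.6 from the following page:

As you are using KDE plasma-nm, there is no need to install the network-manager-l2tp-gnome package.

In the IPsec settings, please do not fill in the phase 1 and phase 2 algorithms; leave them blank. strongswan's charon is currently failing at Main Mode (i.e. phase 1) in the log above.

But it looks like it is not even able to contact the VPN server and receive a response. If network-manager-l2tp's 10-second timeout for establishing the IPsec connection is exceeded, it kills the /usr/sbin/ipsec process (i.e. sends it a SIGINT).

Could you install the ike-scan package and run the following ike-scan.sh script:

Running the following will confirm whether you are able to contact the VPN server from Ubuntu (where 123.54.76.9 is the VPN server address):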

sudo ipsec stop
sudo ./ike-scan.sh 123.54.76.9 | grep SA=

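You mentioned that you compiled libreswan, but the log above seems to indicate that strongswan is being used. If you want to use libreswan, I would stick with the older version of the libreswan package that ships with Ubuntu 20.04, as it is more compatible than later versions (unless you build the newer version with legacy build flags). Although libreswan and strongswan cannot both be installed at the same time on Ubuntu, when you try to install one it replaces the other, which is fine for network-manager-l2tp, as it automatically detects which one to use when the VPN connection is started.

If using strongswan with a Sophos VPN server, reportedly you need to disable the strongswan unity plugin:

Apparently the Sophos VPN server uses Libreswan, so in theory using Libreswan on the client should give better compatibility.

Although it is not yet an issue in this case, CentOS does not run a system xl2tpd by default, but Ubuntu does; see the following on how to disable the system xl2tpd: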

Votes: 1
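
The answer's reading of the log (Main Mode requests go out, nothing comes back, and the attempt ends with SIGINT at the 10-second mark) can be checked mechanically. The following is an added example, not part of the original post or of network-manager-l2tp: a small Python triage over charon syslog lines, run on an excerpt of the question's log. The `received packet:` and `NO_PROPOSAL_CHOSEN` patterns are assumed from strongSwan's usual log wording and do not occur in the log above; `triage` and its field names are illustrative.

```python
import re

# Excerpt of the charon lines from the question's syslog (peer address redacted as on the page).
SAMPLE = """\
May  1 14:52:39 T480-SA charon: 12[IKE] initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May  1 14:52:39 T480-SA charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V ]
May  1 14:52:39 T480-SA charon: 12[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:43 T480-SA charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 1
May  1 14:52:43 T480-SA charon: 16[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:49 T480-SA charon: 00[DMN] signal of type SIGINT received. Shutting down
May  1 14:52:49 T480-SA charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
"""

# HH:MM:SS, hostname, "charon:", thread id, [subsystem], message
LINE = re.compile(r"(\d\d):(\d\d):(\d\d) \S+ charon: \d+\[(\w+)\] (.*)")

def triage(log_text, nm_timeout=10):
    """Classify one IKE attempt; nm_timeout is the 10 s limit the answer mentions."""
    sent = received = retransmits = 0
    start = killed = None
    rejected = False
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a charon line
        # Assumption: the whole attempt happens on one day, so time of day is enough.
        secs = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        msg = m[5]
        if msg.startswith("initiating Main Mode"):
            start = secs
        elif msg.startswith("sending packet:"):
            sent += 1
        elif msg.startswith("received packet:"):   # assumed strongSwan wording
            received += 1
        elif msg.startswith("sending retransmit"):
            retransmits += 1
        elif "NO_PROPOSAL_CHOSEN" in msg:           # assumed strongSwan wording
            rejected = True
        elif "SIGINT received" in msg:
            killed = secs
    if rejected:
        verdict = "proposal-rejected"   # peer answered but refused the algorithms
    elif sent and not received:
        verdict = "no-response"         # look at reachability of UDP 500, not at proposals
    else:
        verdict = "peer-responding" if received else "no-ike-activity"
    elapsed = None if start is None or killed is None else killed - start
    return {"sent": sent, "received": received, "retransmits": retransmits,
            "elapsed": elapsed, "verdict": verdict,
            "hit_nm_timeout": elapsed is not None and elapsed >= nm_timeout}

if __name__ == "__main__":
    print(triage(SAMPLE))
```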
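Original page content provided by Ask Ubuntu. Translation support provided by the Tencent Cloud Xiaowei dedicated IT-domain engine.
Original link:

https://askubuntu.com/questions/1335338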
